Funds Begin Sending Out Privacy Policies

The first wave of privacy disclosures is appearing in mutual fund prospectuses and first quarter 2000 account statements being mailed to fund investors.

While some fund groups are early to comply with the new SEC privacy disclosure regulation, which goes into effect July 1, others are still developing the text for explaining to prospective and existing shareholders how the firms obtain personal information about them and what they do with it once it is collected. Regulators want to be sure investors understand whether any personal information is likely to be shared with third parties, and if so, with whom.

On March 1, AIM Management of Houston began distributing statements of its privacy policies in its mutual fund prospectuses, annual reports and on its website, said Stephen Graddy, an AIM spokesperson. Investors would be hard-pressed to miss the full-page disclosure, which carries a large photo of a lock. The privacy policy appears on the back cover of new prospectuses.

On March 23, Montgomery Funds of San Francisco filed a prospectus amendment that announced its privacy policies as well as those of its distributor, Funds Distributor of Boston.

The two-paragraph disclosure explains that Montgomery and its distributor collect non-public information about individuals from their new account applications, conversations with financial representatives, transactions executed by fund investors and electronic sources such as e-mails or websites.

It further states that neither firm releases this information to non-affiliated third parties without a customer's explicit authorization, unless that information must be disclosed in order to provide service to an account, such as in cases where the group's transfer agent or related broker requires the information.

In its privacy disclosure, Montgomery also said the firm maintains "physical, electronic and procedural safeguards" to protect this personal data.

ALPS Distributors of Denver, which changed its name from ALPS Mutual Fund Services on April 2, filed a privacy statement March 29 with the SEC on behalf of Financial Investors Trust Money Market Funds, which manages three money funds. ALPS is the administrator for the group.

The statement says that customer information, which includes names, addresses, social security numbers, investment goals and risk tolerances, is collected from client applications and that no information will be released unless a client gives consent or the company is required by law to do so.

"We will only use information about our customers and their accounts to help us better serve their investment needs or to suggest services or educational materials that may be of interest," says the ALPS privacy notice. "We consider our customers' data to be private and confidential, and we hold ourselves to the highest standards of trust and fiduciary duty in their safekeeping and use," the notice says.

The disclosures were mandated by the Gramm-Leach-Bliley Act of 1999. The act requires all financial institutions, including investment advisers and investment companies, to adopt policies and procedures to ensure the security and confidentiality of personal customer information. Fund companies will be required to provide a statement of privacy policies and practices when customer relationships are established, and annually after that.

The regulatory initiative was undertaken with the recognition that privacy can be particularly vulnerable in light of technological advances, said Paul Roye, director of the SEC's division of investment management, in a speech in January.

"As we look toward ensuring that regulatory oversight keeps pace with technology, we recognize that issues of privacy must keep pace with technology as well," he said. "Whether an investor provides information through traditional or electronic means, the confidentiality of the information is protected by law."

Privacy policies are not new to fund groups. Many of them have been addressing online privacy concerns by providing disclosures about their online privacy policies at their websites.

The new privacy disclosure requirements are fairly clear for stand-alone mutual fund companies, said Carl Frischling, an attorney with Kramer, Levin, Naftalis & Frankel in New York. But compliance can be more difficult when the financial institution is a broad financial services conglomerate, he said.

"When you have an expansive financial services company with a broker/dealer, insurance company and a bank, where affiliates have other products, that creates some additional compliance issues," said Frischling. In those cases, the existence of firewalls between the various units must be described so that individuals understand what information will be shared among various business units.

Last September, John Hancock Financial Services of Boston assembled a committee to begin drafting a single privacy disclosure document for its insurance, investment management and securities dealer business units, said Linda Pollard, director of client relations at the firm.

Hancock began sending the two-page privacy notices to its life insurance, long-term care and annuity policyholders in early February. The notices are currently being mailed to its mutual fund customers with their quarterly statements, Pollard said.

It was a challenge for Hancock to adopt a single policy for all the business units. For example, Hancock's policy states that for those customers applying for insurance, Hancock may collect information from a customer's medical provider and medical vendors. To allay concerns that might arise among mutual fund and annuities customers, the company added a notation stating that it did not collect "medical or health information, nor do we request financial information from consumer reporting agencies," about its mutual fund and annuities customers.

Frischling recommends that fund groups get their boards of directors involved in the disclosure process. While there is no formal requirement that boards provide privacy disclosure oversight or that boards approve policies, he believes boards should receive periodic reports regarding the status of policies and systems put in place to secure personal information.